Article 28(1)

1. Each controller and processor shall maintain regularly updated documentation necessary to fulfill the requirements laid down in this Regulation.

Article 28(2)

2. In addition, each controller and processor shall maintain documentation of the following information:

• (a) the name and contact details of the controller, or any joint controller or processor, and of the representative, if any;
• (b) the name and contact details of the data protection officer, if any;
• (ba) the name and contact details of the controllers to whom personal data are disclosed, if any.
• (c) (deleted)
• (d) (deleted)
• (e) (deleted)
• (f) (deleted)
• (g) (deleted)
• (h) (deleted)

Article 28(3)

3. (deleted)

Article 28(4)

4. (deleted)

Article 28(5)

5. (deleted)

Article 28(6)

6. (deleted)

[Source: October 2013]

Article 28(1) [Amended: October 2013]

1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.

Article 28(2) [Amended: October 2013]

2. The documentation shall contain at least the following information:

• (a) the name and contact details of the controller, or any joint controller or processor, and of the representative, if any;
• (b) the name and contact details of the data protection officer, if any;
• (c) the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);
• (d) a description of categories of data subjects and of the categories of personal data relating to them;
• (e) the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them;
• (f) where applicable, transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards;
• (g) a general indication of the time limits for erasure of the different categories of data;
• (h) the description of the mechanisms referred to in Article 22(3).

Article 28(3) [Deleted: October 2013]

3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.

Article 28(4) [Deleted: October 2013]

4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:

• (a) a natural person processing personal data without a commercial interest; or
• (b) an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities.

Article 28(5) [Deleted: October 2013]

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.

Article 28(6) [Deleted: October 2013]

6. The Commission may lay down standard forms for the documentation referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

[Source: January 2012 | Context: Proposal from the European Commission]